Network hijacking generally refers to tampering with the data a network returns to the user. It falls into two categories, depending on which data is modified:

  • DNS hijacking

DNS hijacking means tampering with the IP address that a domain name resolves to: a user who visits domain name A is handed the IP address of some other host B, and the connection goes there instead.

For the mechanics of domain name resolution itself, see the article "Principles of DNS query".

  • HTTP hijacking

HTTP hijacking works by inspecting the HTTP response data and tampering with it (adding, deleting or changing content). The small advertisements that often show up on web pages are frequently the result of HTTP hijacking.

Who carries out network hijacking?

Carriers! Carriers! Carriers!

Every hijack we have seen was done by carriers such as China Telecom, China Unicom and China Mobile, or by one of their many second-tier resellers. For that reason it is also called carrier hijacking.

Why carriers?

Users can only reach the Internet through the carrier's network; it is the single path every request takes. The carrier forwards the request on the user's behalf and hands back the data it obtains, so it is naturally in a position to manipulate that data (any on-path party has this position; carriers simply sit on every path). If it alters the resolved IP address during domain name resolution and returns a false address to the user, that is DNS hijacking. If it inspects and tampers with the content of the response on the way back, that is HTTP hijacking.

Why would a carrier do that?

As the saying goes, nobody gets up early for nothing. In the Internet era, traffic is money: by inserting small ads into ordinary pages, a carrier rides on the traffic of every site its users visit and gets enormous exposure. Sell that exposure to advertisers, and is it not a lucrative business?

Who is harmed?

A carrier's malicious tampering not only degrades the user experience but also easily misleads users. At the same time it damages the reputation of the site operator, who often ends up taking the blame. (Have you ever assumed that those small ads were ads the website itself had signed up for?)

Prevention of network hijacking

DNS hijacking

There is little a website can do about DNS hijacking on its own. Chinese regulators have, however, banned carriers from DNS hijacking, so it is rarely seen today. Full-site HTTPS also limits the damage: a hijacked IP address cannot present a valid certificate for your domain, so the browser refuses the connection instead of rendering the attacker's content.

HTTP hijacking

Note that HTTP hijacking almost always ends by inserting a third-party script or iframe into the page (from the hijacker's point of view, that keeps the malicious code easy to modify and maintain in one place).

How to prevent HTTP hijacking is today's focus, since it is the most common form of network hijacking.

  1. Complain to the carrier, and tell them that if they do not resolve it you will escalate the complaint to the Ministry of Industry and Information Technology (MIIT).

  2. Use the MutationObserver API to watch for DOM modifications at runtime, identify abnormal nodes (for example a script tag or iframe whose src attribute points to an unexpected host) and remove them promptly.

  3. Use HTTPS for the whole site, including the CDN's origin pull (the CDN fetching content back from the origin server). Once everything is HTTPS, a carrier that intercepts the traffic can no longer read the encrypted data, let alone modify it on the fly.

  4. Use CSP (Content Security Policy): set up a domain whitelist so that the browser filters out unlisted domains and refuses to load malicious scripts and iframes.
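Items 2 and 4 above in working form, as an added example that is not code from the original post: a page-side MutationObserver watchdog that strips injected script and iframe elements whose src is not on an allowlist, plus a helper that turns the same allowlist into the Content-Security-Policy header the server should send. The allowlist hosts (cdn.example.com, static.example.com), the page origin www.example.com and every function name are assumptions made for this example.

```javascript
'use strict';

// Hosts our own assets legitimately load from (constructed for this example).
const ALLOWED_HOSTS = ['cdn.example.com', 'static.example.com'];

// Is `src` somewhere we expect a script or iframe to come from?
// Relative URLs resolve against `pageOrigin` (the page's own origin) and are
// allowed; allowlisted hosts must be reached over https, since an http URL to
// our own CDN could itself be hijacked in transit.
function isAllowedSrc(src, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  if (!src) return true;                  // no src: inline script or srcdoc iframe
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return false;                         // unparsable src: treat as hostile
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false; // javascript:, data:, ...
  if (url.origin === new URL(pageOrigin).origin) return true;
  return url.protocol === 'https:' && allowedHosts.includes(url.hostname);
}

// True for a <script> or <iframe> whose src is off the allowlist. Accepts real
// DOM elements or plain { tagName, src } objects so it can be tested outside a
// browser.
function isInjected(node, pageOrigin) {
  const tag = String(node.tagName || '').toUpperCase();
  if (tag !== 'SCRIPT' && tag !== 'IFRAME') return false;
  const src = typeof node.getAttribute === 'function' ? node.getAttribute('src') : node.src;
  return !isAllowedSrc(src, pageOrigin);
}

// Browser only: remove injected nodes as they appear, and again when an
// existing iframe's src is rewritten. Returns the observer (null outside a
// browser, where MutationObserver/document do not exist).
function installHijackWatchdog(pageOrigin = location.origin) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') return null;
  const sweep = (root) => {
    root.querySelectorAll('script, iframe').forEach((el) => {
      if (isInjected(el, pageOrigin)) el.remove();
    });
  };
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') {
        if (isInjected(m.target, pageOrigin)) m.target.remove();
        continue;
      }
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue;      // elements only
        if (isInjected(node, pageOrigin)) node.remove();
        else sweep(node);                       // injected subtree inside a wrapper div
      }
    }
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
  sweep(document.documentElement);             // catch anything parsed before we ran
  return observer;
}

// The same allowlist expressed as the Content-Security-Policy header the server
// sends alongside full-site HTTPS. The browser then refuses to load scripts or
// frames from any other host before they run, which the DOM watchdog above
// cannot guarantee.
function buildCsp(allowedHosts = ALLOWED_HOSTS) {
  const hosts = allowedHosts.map((h) => 'https://' + h).join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    "frame-src 'none'",           // this site embeds no iframes, so block every injected one
    "object-src 'none'",
    'upgrade-insecure-requests',  // rewrite stray http:// subresources to https://
  ].join('; ');
}
```

Load the watchdog from an inline script at the very top of <head>, before any other markup, and send the string from buildCsp() as the Content-Security-Policy response header. The observer is best-effort only: its callback runs asynchronously, so a script the hijacker spliced into the HTML may already have executed by the time it is removed, and the watchdog itself arrives over the same hijackable HTTP connection. CSP and full-site HTTPS (items 3 and 4) stop the load before it happens; the observer is a cleanup for the period before those are fully rolled out.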

Reference

  • How CDN origin pull and multi-level caching work

  • Practical tips: defending against carrier hijacking

  • CSP: the first line of defense in front-end security

  • Content Security Policy (CSP)